Best Practices on Collection and Handling of Credit Card Data by Merchants
The practical tips outlined below on the collection and handling of credit card data by merchants have been developed by the Hong Kong Monetary Authority in consultation with the Office of the Privacy Commissioner for Personal Data for merchants to serve their customers better.
Practical Tips on Collection and Handling of Credit Card Data by Merchants for Card-present Transactions at the Point-of-sale
Since the front and back of a credit card are printed with various information, including the cardholders' name, credit card number, credit card issue and expiry date, CVV number and cardholders' signature, any merchant accepting payment by credit card should ensure compliance with the requirements of the Personal Data (Privacy) Ordinance ("Ordinance") in general and the six Data Protection Principles in Schedule 1 to the Ordinance. Merchants should have written data privacy policies, procedures and practices in this regard.
The six Data Protection Principles include Data Protection Principle 1 (DPP1) that requires an organisation to collect personal data which is adequate but not excessive and for a purpose directly related to its function or activity; and Data Protection Principle 4 (DPP4) which requires an organisation to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. Both Principles 1 and 4 are of particular relevance to merchants in handling card present payments at the point of sale. The following are the tips in this regard.
II. Card-present Transactions and Credit Card Instalment Plans using Card Acceptance Terminals
A. Tips for complying with DPP1
- Use only the card acceptance terminal provided by the relevant acquiring institution for processing the payment transaction (i) by either "dipping" the chip-based card or "swiping" the magnetic stripe card, as the case may be, in order to capture the credit card number and expiry date embedded in the card; and (ii) by inputting the transaction amount for direct transmission to the acquiring institution's system. No other data is needed, nor should any other data be collected from the cardholder, for processing the card-present transaction.
- Do not collect credit card data for the purposes of sales analysis, inventory management or any other purposes not related to the card-present transaction by any means or in any form (such as swiping a chip-based credit card or creating an imprint of the credit card on the transaction slip) without obtaining prior consent from the cardholder.
B. Tips for complying with DPP4
- Upgrade card acceptance terminals to accept chip cards as soon as possible to enhance the security of payment transactions.
- Always dip, rather than swipe, a chip-based credit card in the card acceptance terminal when processing a payment transaction, both to avoid delay (since swiping a chip-based credit card in the terminal triggers an automatic alert to dip the card instead) and to avoid the possibility of losing your "Charge Back" rights.
- Do not swipe the credit card for processing a payment transaction unless it is a magnetic stripe credit card or when the chip on the chip-based credit card is not functioning due to damage or other reasons.
- Process the credit card payment within the cardholder's sight when operationally and practically feasible, or upon the cardholder's request. To this end, merchants may consider approaching their acquiring institutions to install mobile card acceptance terminals so that dipping or swiping of credit cards does not take place out of the cardholder's sight.
- Safely store the merchant copy of the sales slip ("Merchant Copy") in a secure area accessible to only selected personnel and discard the Merchant Copies with caution, e.g., render credit card data unreadable prior to discarding.
- Use the relevant codes on the Merchant Copies in handling any "Charge Back" requests.
- Regularly review and, as appropriate, enhance the relevant systems for safeguarding cardholders' data. Apply routine security checks to prevent any tampering with card acceptance terminals and to identify abnormalities, such as extra wiring.
- Promptly notify your acquiring institution(s), the affected individual(s) by appropriate means, and the Office of the Privacy Commissioner for Personal Data, Hong Kong in the event of data leakage and report the case to the Hong Kong Police Force if it involves a criminal element.
- Provide regular training to staff to strengthen their awareness of privacy protection and proper card acceptance procedures.
Non-compliance with the Data Protection Principles does not in itself constitute a criminal offence. The Privacy Commissioner for Personal Data, Hong Kong may serve an Enforcement Notice directing the organisation to remedy the contravention. Contravention of an Enforcement Notice is an offence which could result in a fine of HKD50,000 and imprisonment for 2 years. If the offence continues after the conviction, the organisation is liable to a daily penalty of HKD1,000.
These are just some of the tips that you can implement to assist you in complying with the Ordinance. For further information, please check out the Office of the Privacy Commissioner for Personal Data's website at www.pcpd.org.hk.